Educause Security Discussion mailing list archives
Re: For IP; Re: good read: Please do not change your password
From: Stephen John Smoogen <smooge () GMAIL COM>
Date: Fri, 16 Apr 2010 14:11:45 -0600
On Fri, Apr 16, 2010 at 9:55 AM, Gene Spafford <spaf () cerias purdue edu> wrote:
I posted this back in 2006. It is germane to this discussion: http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
I will say that when I first read this in 2006 I was against it. Well, I was bombarded with 20 forwards of it when it came out, as we were doing our 90-day change of passwords; by the next one I think it went to 200. Pretty much any time this comes up at an organization, from passwords having been stolen to just a policy, this post is sent about why passwords should never be changed (and yes, I know that is not the intent, but it has been worded that way by a person who did not want to change their password after their account had been hacked because the password was known). Over the years of not having to deal with security directly... I have softened a bit... and thinking about it this moment... I wondered why.

1) It's not the message that Dr Spafford wrote, but how the letters forwarded them. Usually with a snide comment about how it is clear IT/IS were idiots and Gene Spafford agreed with them. Of course, I think that sets a bad precedent and makes the IT person getting it much less likely to agree with Dr Spafford's advice.

2) Having dealt with multiple break-ins... they are usually due to bad passwords. Having audited multiple sites, I have found that 20% of all passwords are never changed from the system default, and another 40% seem to be variations of a theme (either on the top 10 bad passwords, or once you figured out that the school's mascot is a tank, then ESUtank#1 in various forms is going to get you a lot [or the company logo, phrase, etc.]). Figure out a password and by the end of the week you probably have 30 or 40 others.

3) People have too many passwords, and will reuse the same one over and over again. I am no different... there are ones I use because I can't think of anything else, and while I think I am being smart about it... I am not. Add this with other factors of how many passwords a person might have, and you have a large target window.

4) Computer security people are usually in a very, very passive-aggressive place. You know there are problems, but getting change done only happens after an incident occurs, and at that point you're running on NoDoze+Dew for 6-7 days straight. And you know from past experience if you don't get what changes to occur right then, it's not going to happen until the next incident. However, you also know that you have only 0 budget to do whatever it is, and the higher-ups will only sign off on stuff that is clearly well documented that other places are doing it. So you end up with 90-day policies that make no sense, but they are the only rock you have at the time... and you fought so hard just to get those that you won't see they don't make sense until way later.

So anyway, after 4 years... I agree that forcing changes of passwords is not a good security control and can lead to false senses of security... but on the other hand, I do not see us having any better tools that will be deployed by most organizations. Me, I recommend that if you are a security person stuck in a passive-aggressive place... go find a better job elsewhere.

--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning
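The audit pattern described in point 2 (passwords left at the system default, plus variations on an organizational theme such as a mascot with a digit or symbol bolted on) is the kind of thing a password-policy check can catch at set-time instead of at incident-time. The following is an added example, not code from the post or from anyone in the thread: it normalizes a candidate password (lowercase, strip leading/trailing digit or symbol runs, undo common leet substitutions) and flags matches against a default-password list and an organization keyword list. The lists, the 12-character minimum, and the sample passwords are all constructed for illustration; a real deployment would maintain its own.

```python
import re
from collections import Counter

# Constructed sample lists; a real deployment would maintain its own
# default-password list and organization keyword list (assumption).
DEFAULT_PASSWORDS = {"password", "changeme", "welcome", "admin"}
ORG_THEME_WORDS = {"esu", "tank"}   # constructed: school abbreviation and mascot
MIN_LENGTH = 12                    # constructed policy value

# Common digit/symbol-for-letter substitutions, undone before comparison.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letter 'core'.

    Lowercase, drop leading/trailing digit or symbol runs (the '#1' or '2010'
    suffixes people bolt on), undo leet substitutions, then keep letters only.
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    p = p.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", p)


DEFAULT_CORES = {normalize(d) for d in DEFAULT_PASSWORDS}


def audit_password(password: str) -> list[str]:
    """Return policy findings for one password; an empty list means it passes."""
    findings = []
    core = normalize(password)
    # Exact default, or a default dressed up with digits/symbols/leet.
    if password.lower() in DEFAULT_PASSWORDS or (core and core in DEFAULT_CORES):
        findings.append("default")
    # Any organizational theme word surviving in the normalized core.
    for word in sorted(ORG_THEME_WORDS):
        if word in core:
            findings.append(f"theme:{word}")
    if len(password) < MIN_LENGTH:
        findings.append("short")
    return findings


def audit_batch(passwords: list[str]) -> dict[str, int]:
    """Summarize findings over a set of passwords (each kind counted once per password)."""
    counts: Counter = Counter()
    for pw in passwords:
        findings = audit_password(pw)
        if not findings:
            counts["ok"] += 1
        for kind in {f.split(":")[0] for f in findings}:   # "theme:tank" -> "theme"
            counts[kind] += 1
    return dict(counts)


# Constructed sample passwords in the spirit of the post's examples.
SAMPLE_PASSWORDS = ["changeme", "ESUtank#1", "P@ssw0rd2010", "Tanks!2010",
                    "correct horse battery staple", "admin"]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:34} -> {audit_password(pw) or 'ok'}")
    print(audit_batch(SAMPLE_PASSWORDS))
```

The normalization is deliberately lossy: it only has to decide whether a candidate is a thin variation on something already known to be weak, so collapsing "ESUtank#1", "ESUTank2010" and "3sutank" onto the same core is the point. Run over an existing credential store (via a set-time hook, never by reversing stored hashes) the batch summary gives a defender the same default/theme/short breakdown the post describes, without anyone having to guess at passwords.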